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CLAIMS 

What is claimed is: 



1 1 . A communication switch comprising: 

2 at least one input for receiving messages, each message including, 

3 an address specifier, and 

4 a port specifier; 

5 a traffic analyzer for comparing the port specifier of a first message against the port specifiers 

6 of previously received messages; and 

7 an output for reporting a result of the comparing. 

1 2. The communication switch of claim 1 further comprising: 

2 Q a usage tracking system for throttling traffic through the communication switch. 

S3. 

1 It 3. The communication switch of claim 2 wherein: 

2 f * the usage tracking system includes means for throttling traffic according to address specifier 

3 fit and port specifier in combination. 

1 ^ 4. The communication switch of claim 2 wherein: 

2 the usage tracking system includes means for throttling traffic according to a predetermined 

3 |n maximum aggregate bandwidth for the communication switch. 

1 r ™ 5. The communication switch of claim 1 wherein: 

2 the traffic analyzer is further for reporting fraud over the output. 

1 6. The communication switch of claim 1 wherein: 

2 the traffic analyzer is further for comparing the address specifier and port specifier 

3 combination of the first message against the address specifier and port specifier combinations of the 

4 previously seen messages. 

1 7. The communication switch of claim 1 wherein: 

2 each message further includes, 

3 a traffic type specifier; and 
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the traffic analyzer is further for comparing the traffic type specifier of the first message 
against the traffic type specifiers of the previously received messages. 

8. The communication switch of claim 1 wherein: 
each message further includes, 

a traffic type specifier; and 
the traffic analyzer is further for comparing the address specifier, port specifier, and traffic 
type specifier of the first message against the address specifier, port specifier, and traffic type 
specifier combinations of the previously received messages. 

9. A server for use with a communication switch, the server comprising: 

an I/O for communicating messages and alerts between the communication switch and the 

server; 

a billing system for providing a maximum bandwidth indication to the communication 
switch; and 

a fraud detection system for receiving fraud alerts from the communication switch. 

10. The server of claim 9 wherein: 

the fraud detection system is responsive to fraud alerts indicating excessive traffic on an 
address:port combination at the communication switch. 

1 1 . The server of claim 10 wherein: 

the fraud detection system is further responsive to fraud alerts indicating a likelihood of IP 
masquerading. 

12. The server of claim 10 wherein: 

the fraud detection system is responsive to fraud alerts based upon address:port:type 
combination. 

13. A method comprising: 

receiving a message which includes an address:port identifier; 

comparing the address:port identifier against previously received messages' address:port 
identifiers; and 
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5 determining whether excessive traffic is originating from a source identified by the 

6 address:port identifier. 

1 14. The method of claim 13 further comprising: 

2 throttling message traffic in response to determining that excessive traffic is originating from 

3 the source. 

1 15. The method of claim 14 wherein the throttling comprises: 

2 throttling message traffic to and/or from that source. 

1 16. The method of claim 13 wherein the message further includes a type specifier, the method 

2 further comprising: 

3 comparing the type specifier against type specifiers of previously received messages from the 

4 _ same address:port as the message; and 

5 \l determining whether the source is issuing messages of different types such as indicate fraud. 

1 \z 17. The method of claim 16 further comprising: 

2 I* sending a fraud alert in response to determining that the source is issuing messages of 

3 CO different types such as indicate fraud. 



1 i* 1 8. The method of claim 13 further comprising: 

2 j;* recording the message for use in future comparisons against future messages. 

1 u 19. The method of claim 13 further comprising: 

2 receiving an indication of a maximum bandwidth; and 

3 throttling message traffic in response to the indication of the maximum bandwidth. 

1 20. A customer premises gateway for communicating with an ISP premises head-end server, the 

2 customer premises gateway comprising: 

3 at least one first I/O each for connecting to a communication device; 

4 a second I/O for connecting to the ISP premises head-end server; and 

5 a traffic analyzer coupled to the at least one first I/O and the second I/O, including 

6 a port identifier comparator, 

7 a throttling mechanism, and 
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8 a fraud reporter. 

1 21 . The customer premises gateway of claim 20 wherein the traffic analyzer further includes: 

2 a message type analyzer. 

1 22. A machine accessible medium including therein instructions which, when executed by the 

2 machine, cause the machine to: 

3 compare a first address:port combination of a message against a second address:port 

4 combination of a previously received message; and 

5 responsive to the address:port comparison, determine whether excessive traffic is going 

6 to/from the first address:port combination. 

1 23. The machine accessible medium of claim 22 further including therein instructions which, 

2 when executed by the machine, cause the machine to further: 

: s 
%~ 

3 kJ throttle traffic to/from the first address:port combination. 

t rs 

1 [7 24. The machine accessible medium of claim 23 further including therein instructions which, 

2 M when executed by the machine, cause the machine to further: 

Fil 

3 j a report fraud. 

5 

1 \ ~\ 25. The machine accessible medium of claim 22 further including therein instructions which, 

2 H when executed by the machine, cause the machine to further: 

3 p compare a first type specifier of the message against a second type specifier of the previously 

4 f " received message; and 

5 responsive to the type specifier comparison, determine whether the first address:port 

6 identifies a router performing address:port masquerading. 

1 26. The machine accessible medium of claim 25 further including therein instructions which, 

2 when executed by the machine, cause the machine to further: 

3 report the masquerading. 

1 27. A method for a communication switch to detect that a device connected to the 

2 communication switch is a router, comprising: 

3 receiving from the device a message including address and sub-address identifiers; 
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4 comparing the address and sub-address identifiers against one or more previously received 

5 messages; and 

6 detecting that the address and sub-address identifiers indicate that the device is performing 

7 masquerading. 

1 28. The method of claim 27 wherein the detecting comprises: 

2 observing a first message type indicator in the message and a different message type indicator 

3 in at least one of the previously received messages. 



29. The method of claim 27 further comprising: 

recording the address and sub-address identifiers of the message; 
receiving a second message; and 

comparing the second message's address and sub-address identifiers against the recorded 
address and sub-address identifiers. 

30. The method of claim 27 wherein: 

the address identifier comprises an Internet Protocol address; and 
the sub-address identifier comprises a port number. 

3 1 . The method of claim 27 further comprising: 

responsive to detecting masquerading, sending a fraud alert to a server. 

32. The method of claim 27 further comprising: 
throttling message transmission. 



1 33. The method of claim 27 further comprising: 

2 comparing a message type identifier of the message against one or more previously received 

3 messages; and 

4 detecting that the message type identifier of the message is different than a message type 

5 identifier of a previously received message having a same address identifier and a same sub-address 

6 identifier as the message. 

1 34. The method of claim 33 wherein: 

2 the address identifier comprises an Internet Protocol address; 
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the sub-address identifier comprises a port number; and 

the message type identifier comprises one of an HTTP specifier and an FTP specifier. 
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